Social media network TikTok has been fined €345 million ($368 million) by a European Union regulator over alleged child data breaches as the bloc continues its clampdown on international tech giants.
The fine comes after a two-year inquiry by Ireland's Data Protection Commission (DPC), which, given the location of many Big Tech company headquarters in Dublin, plays a key role in policing the EU's General Data Protection Regulations (GDPR).
The DPC began examining TikTok's compliance with GDPR in relation to platform settings and personal data processing for users aged under 18 years old in September 2021.
Why has TikTok been fined?
While it found no infringement of age verification measures for children under 13, it highlighted in its ruling on Friday how new TikTok accounts were set to public by default, meaning their content was viewable by anyone.
It also criticized TikTok's "family pairing" mode, designed to link parents' accounts to those of their teenagers, for failing to adequately verify parent or guardian status, including allowing adult users to turn on direct messaging for users aged 16 and 17 without their consent
Furthermore, it found that the platform encouraged teen users to use more "privacy intrusive" options when signing up and posting videos.
What has TikTok said?
Chinese-owned TikTok said in a statement that it disagrees with the decision, "particularly the level of the fine imposed."
It said that the DPC's criticisms related to features and settings which dated back three years and were changed before the investigation even started, including making all accounts for teens under 16 private by default and turning off direct messaging for 13- to 15-year-olds.
"Most of the decision's criticisms are no longer relevant as a result of measures we introduced at the start of 2021 – several months before the investigation began," TikTok's head of privacy for Europe, Elaine Fox, wrote in a blog post.
Why now?
After Instagram, WhatsApp and their owner Meta, TikTok has become the latest tech giant to be fined by the Irish regulator in the last year, as the European Union aims to maintain its position as a global leader in tech regulation. In May, Meta was slapped with a record fine of €1.2 billion ($1.28bn) over data transfers to the United States.
Still, the DPC has been criticized for not moving quickly enough since new EU privacy laws came into effect in 2018. In the case of TikTok, the investigation was delayed last year when German and Italian regulators disagreed with parts of a draft decision.
What next?
A second DPC investigation into whether TikTok complied with the EU's General Data Protection Regulation when it transferred users' personal information to China, where its owner is based, is still ongoing.
The video app has a difficult political standing in the West because it belongs to the Chinese corporation Bytedance, and the European Commission and several European governments have banned the use of the app on the mobile phones of their employees.
To allay such fears, TikTok is trying to gain trust in Europe with its "Project Clover," which entails moving European users' data to new servers in Ireland and Norway. By the end of 2024, European user data will be transferred and stored at these data centers by default.